Bump to latest 2.0.26 release
apache2/mod_proxy_uwsgi: let httpd handle CL/TE for non-http handlers CVE-2024-24795 (Eric Covener)
remove race-condition over termination of uWSGI process when using need-app and lazy-apps (Hanan .T)
fix 32-bit compilation with GCC14 (Rosen Penev)
uwsgiconfig: get compiler version with -dumpfullversion (Riccardo Magliocchetti)
Fix uwsgi_regexp_match() with pcre2 (Alexandre Rossi)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Updated 010-configure-uname.patch as source changed.
Removed 100-example-conf-in.patch as not needed any more.
Release message:
This release has a fix for the DNSBomb issue CVE-2024-33655. This has a
low severity for Unbound, since it makes Unbound complicit in targeting
others, but does not affect Unbound so much.
To mitigate the issue new configuration options are introduced.
The options discard-timeout: 1900, wait-limit: 1000
and wait-limit-cookie: 10000 are enabled by default. They limit the
number of outstanding queries that a querier can have. This limits
the reply pulse, and makes Unbound less favorable for the issue.
With the config wait-limit-netblock and wait-limit-cookie-netblock
the parameters can be fine tuned for specific destinations.
More information on the attack and Unbound's mitigations is
presented further down.
Other fixes in this release are that Unbound no longer follows symlinks
when truncating the pidfile. Unbound also does not chown the pidfile,
this is for safety reasons. There are also a number of fixes for RPZ, in
handling CNAMEs. There is a memory leak fix for the edns client subnet
cache. For DNSSEC validation a case is fixed when the query is of type
DNAME. The unbound-anchor program is fixed to first write to a temporary
file, before replacing the original. This handles disk full situations,
and because of it unbound-anchor needs permission to create that file,
in the same directory as the original file. There is also a fix for
IP_DONTFRAG, to disable fragmentation instead of the opposite.
The option cache-min-negative-ttl can be used to set the minimum TTL
for negative responses in the cache. It complements existing options to
set the maximum ttl for negative responses and to set the minimum and
maximum ttl but not specifically for negative responses.
The option cachedb-check-when-serve-expired makes Unbound use
cachedb to check for expired responses, when serve-expired is enabled,
and cachedb is used. It is enabled by default.
The -q option for unbound-checkconf can be added to silence it when
there are no errors.
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Remove one patch - instead of messing with BUILDCXXFLAGS there we
properly define it via CONFIGURE_ARGS inside Makefile of the package.
Refresh remaining patch.
Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
* fixed a possible "Argument list too long" error in the f_log function
* fixed multiple, incomplete digit character classes
* fixed/optimized split file handling
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Remove the ancient package with experimental cake options,
from time when cake was not yet officially here.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The message 'MM_CONNECT_IN_PROGRESS' is a status message, not an error
message. To avoid confusion, the message has been removed.
Signed-off-by: Oliver Sedlbauer <osedlbauer@tdt.de>
This commit improves the automatic reconnect logic. If the modem cannot
establish a connection, for example due to poor reception, the
proto_block_restart prevents the interface from trying to reconnect.
To enforce the connection, this commit adds a new option that allows the
system to attempt to establish a connection indefinitely.
Signed-off-by: Oliver Sedlbauer <osedlbauer@tdt.de>
* made sure that the domain lookup always adds the found IPs to the underlying allow-/blocklist-Set
* major readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
- Switch source to .xz according to CONTRIBUTING.md
- Switch project URL to HTTPS
- Drop upstreamed patch
- Refresh remaining patch
- Adopt the package
Signed-off-by: krant <aleksey.vasilenko@gmail.com>
Fixes:
zebra/zebra_netns_notify.c: In function 'zebra_ns_ready_read':
zebra/zebra_netns_notify.c:265:40: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
265 | if (strmatch(VRF_DEFAULT_NAME, basename(netnspath))) {
| ^~~~~~~~
Fixed by including libgen.h, then since basename may modify its
parameter, allocate a copy on the stack, using strdupa, and pass the
temporary string to basename.
According to the man page for basename:
With glibc, one gets the POSIX version of basename() when
<libgen.h> is included, and the GNU version otherwise.
The POSIX version of basename may modify the contents of path,
so we should pass a copy when calling this function.
[1] https://man7.org/linux/man-pages/man3/basename.3.html
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
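As an added illustration of the basename fix described above (this is example code, not the zebra patch itself), the helper below always hands POSIX basename() a scratch copy, so the caller's path is never modified; it uses a fixed stack buffer instead of the GNU-only strdupa(), and last_component_is() stands in for the strmatch(VRF_DEFAULT_NAME, basename(netnspath)) check:

```c
#include <libgen.h>   /* with glibc this selects the POSIX basename() */
#include <stdio.h>
#include <string.h>

/* Copy the last path component of `path` into `out` (size `outlen`).
 * POSIX basename() may write into the buffer it is given (e.g. to strip
 * trailing slashes) and may return a pointer into it, so the caller's
 * string is never passed directly: a local copy is made first.
 * Returns 0 on success, -1 if either buffer is too small. */
int safe_basename(const char *path, char *out, size_t outlen)
{
    char copy[4096];                 /* scratch copy basename() may modify */
    if (strlen(path) >= sizeof copy)
        return -1;
    strcpy(copy, path);
    const char *base = basename(copy);
    if (strlen(base) >= outlen)
        return -1;
    strcpy(out, base);               /* result must outlive `copy` */
    return 0;
}

/* Returns 1 when the last component of `netnspath` equals `name`. */
int last_component_is(const char *netnspath, const char *name)
{
    char base[256];
    if (safe_basename(netnspath, base, sizeof base) != 0)
        return 0;
    return strcmp(base, name) == 0;
}

/* Returns 1 if a mutable input path survives the lookup unchanged,
 * which is exactly what passing the original to basename() could break. */
int input_left_intact(void)
{
    char path[] = "/run/netns/red/";   /* constructed sample, trailing slash */
    char base[64];
    if (safe_basename(path, base, sizeof base) != 0)
        return 0;
    return strcmp(base, "red") == 0 && strcmp(path, "/run/netns/red/") == 0;
}

int main(void)
{
    printf("default netns? %d, input intact? %d\n",
           last_component_is("/var/run/netns/default", "default"),
           input_left_intact());
    return 0;
}
```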
The IETF fork is unmaintained. In addition, the versioning is incompatible with apk.
010-uclibc.patch is pointless as uclibc is no longer used by OpenWrt.
020-fix-core-dump-while-parsing-interface-list.patch was an upstream
backport. No longer needed.
Added tls=no to avoid mbedtls dependency.
mDNSIdentify is gone.
Added back patches from version 878.200.35. They required manual
refreshing. 120-reproducible-builds.patch is probably needed. Not sure
about 100-linux_fixes.patch.
Add OpenEmbedded patches. Some crash fixes. mdnsd is less noisy with
them.
Log stderr to the log. Otherwise there's no output.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
You have to enable the CONFIG_TCP_MD5SIG kernel config option to be able
to use the BGP MD5 authentication.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Add to uci-defaults script a migration from old deprecated options to new:
use_staging to staging
keylength to key_type
remove standalone
add missing validation_method
We still support the old options in the acme.init if an old config was copied after installing the newer version of acme-common.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
- Remove obsolete OpenSSL patch - upstream handles it by itself now
- Refresh another patch
- Remaining patches are unaffected
Signed-off-by: krant <aleksey.vasilenko@gmail.com>
struct msghdr under musl uses padding ints for 64-bit, which means we
can't directly initialize like this. Switch to initializing each member
explicitly.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
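An added example of the portable form the commit above switches to (example code, not the package's own): a positional initializer assumes glibc's member order and breaks on 64-bit musl, where padding ints sit next to msg_iovlen and msg_controllen, while designated initializers name each member and are layout independent. build_msghdr() is a hypothetical helper introduced here for illustration.

```c
#include <stddef.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Prepare a msghdr for sendmsg()/recvmsg() over the given iovec array.
 * Do NOT write:
 *   struct msghdr m = { addr, addrlen, iov, iovcnt, NULL, 0, 0 };
 * On 64-bit musl the positional values land in the padding ints, so
 * msg_iovlen and msg_controllen end up wrong. Naming each member is
 * correct on every libc. */
struct msghdr build_msghdr(void *addr, socklen_t addrlen,
                           struct iovec *iov, size_t iovcnt)
{
    struct msghdr m = {
        .msg_name       = addr,
        .msg_namelen    = addrlen,
        .msg_iov        = iov,
        .msg_iovlen     = iovcnt,
        .msg_control    = NULL,
        .msg_controllen = 0,
        .msg_flags      = 0,
    };
    return m;
}

/* Total payload bytes the header describes; handy for sanity checks. */
size_t msghdr_payload_len(const struct msghdr *m)
{
    size_t total = 0;
    for (size_t i = 0; i < (size_t)m->msg_iovlen; i++)
        total += m->msg_iov[i].iov_len;
    return total;
}
```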